On January 22nd, SonicWall disclosed that a previously unknown vulnerability had been exploited in an attack on its own Secure Mobile Access (SMA) appliances internally. Soon afterwards, NCC Group discovered another previously unknown vulnerability affecting SMAs being exploited in the wild. SonicWall has confirmed that customers can use the Web Application Firewall (WAF) to detect and block the exploit. Patches are now available, and SonicWall recommends that all customers update their appliances as soon as possible. Details from NCC Group indicate that the flaw results in an authentication bypass for the management interface, similar to the widely exploited vulnerabilities that affected F5 and Citrix devices in 2020.
From the details gathered by BleepingComputer, SonicWall administrators with logging enabled should look for requests to /cgi-bin/management (from the VPN) originating from sources that have not previously made a successful authentication request to /__api__/v1/logon or /__api__/v1/logon/authenticate (from the internet, externally). For SonicWall customers running SMA 100, 200, 210, 400, and 410 appliances, the management interface must not be reachable on any externally facing interface, and the patch should be installed as soon as possible. Alongside patching, logs from the appliances listed above should be forwarded to a centralized logging server or SIEM for monitoring and detection.
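The check described above (management-interface requests from a source that never completed a logon) can be scripted over exported appliance logs. The following is an added example written for this post, not SonicWall's or BleepingComputer's code. The log format is an assumption (one request per line: timestamp, source IP, method, path, HTTP status); the sample lines are constructed, and a real deployment would adapt `parse_line` to the actual SonicWall log layout or to the SIEM's field names.

```python
import re
from dataclasses import dataclass

# Constructed sample log (not real SonicWall output). Assumed format:
# "<timestamp> <src_ip> <method> <path> <status>"
SAMPLE_LOG = """\
2021-01-23T10:00:01Z 198.51.100.10 POST /__api__/v1/logon 200
2021-01-23T10:00:02Z 198.51.100.10 POST /__api__/v1/logon/authenticate 200
2021-01-23T10:00:05Z 198.51.100.10 GET /cgi-bin/management 200
2021-01-23T10:01:00Z 203.0.113.7 GET /cgi-bin/management 200
2021-01-23T10:01:30Z 203.0.113.8 POST /__api__/v1/logon 401
2021-01-23T10:01:31Z 203.0.113.8 GET /cgi-bin/management 200
2021-01-23T10:02:00Z 203.0.113.9 GET /cgi-bin/management?view=users 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")

# Endpoints named in the post: a successful request to either counts as a logon.
LOGON_PATHS = {"/__api__/v1/logon", "/__api__/v1/logon/authenticate"}
MANAGEMENT_PREFIX = "/cgi-bin/management"


@dataclass
class Finding:
    timestamp: str
    src_ip: str
    path: str


def parse_line(line):
    """Return (timestamp, ip, method, path, status) or None for unparseable lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, ip, method, path, status = m.groups()
    return ts, ip, method, path, int(status)


def find_unauthenticated_management_access(log_text):
    """Flag /cgi-bin/management requests from source IPs with no prior successful logon.

    Lines are processed in order, so a logon that happens *after* the
    management request does not retroactively excuse it.
    """
    authenticated = set()   # source IPs that completed a successful logon
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue            # skip malformed lines rather than crash the sweep
        ts, ip, method, path, status = rec
        base_path = path.split("?", 1)[0]   # ignore query string when matching
        if base_path in LOGON_PATHS and 200 <= status < 300:
            authenticated.add(ip)
            continue
        if base_path.startswith(MANAGEMENT_PREFIX) and ip not in authenticated:
            findings.append(Finding(ts, ip, base_path))
    return findings


if __name__ == "__main__":
    for f in find_unauthenticated_management_access(SAMPLE_LOG):
        print(f"{f.timestamp} {f.src_ip} hit {f.path} without a prior successful logon")
```

On the constructed sample this flags 203.0.113.7 (no logon at all), 203.0.113.8 (its logon attempt returned 401, so it never authenticated) and 203.0.113.9, while 198.51.100.10 is cleared by its earlier successful logon. The correlation is keyed on source IP, as the post describes, so a NAT gateway or proxy that shares one egress address across many users can mask an unauthenticated request behind someone else's logon; where the appliance logs a session identifier, keying on that instead is the tighter check.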
SonicWall fixes actively exploited SMA 100 zero-day vulnerability (bleepingcomputer.com)